Cryptology ePrint Archive: Report 2009/588

Abstract: Encrypt-and-sign, where one encrypts and signs a message in
parallel, is usually not recommended for confidential message
transmission. The reason is that the signature typically leaks
information about the message. This motivates our investigation of
confidential signature schemes, which hide all information about
(high-entropy) input messages. In this work we provide a formal
treatment of confidentiality for such schemes and a comprehensive
discussion of the relationship of different notions we propose. We
give constructions meeting our notions, both in the random oracle
model and the standard model. As part of this we show that full
domain hash signatures achieve a weaker level of confidentiality
than Fiat-Shamir signatures. We then revisit the connection of
confidential signatures to signcryption schemes. We give formal
security models for deterministic signcryption schemes for
high-entropy and low-entropy messages, and prove encrypt-and-sign to
be secure for confidential signature schemes and high-entropy
messages. Finally, we show that one can derandomize any signcryption
scheme in our model and obtain a secure deterministic scheme.